Security Through Boredom

Why You Should Use NoScript

It’s commonly said that the browser and its plugins are the number one attack surface for the average user, so locking down the browser is key to maintaining a secure system. I’ve written a guide for Firefox as well as Chrome, but I want to take a post to focus on the NoScript extension for Firefox.

NoScript is an open source Firefox extension that aims to secure the browser. By default it blocks active content from executing in the browser: JavaScript, Java, Flash, Silverlight or any other plugin, and it provides several other protections as well. It’s probably the single best way to harden Firefox.

NoScript has three main modes:

1) Globally deny all scripts

Scripts on any webpage are blocked until whitelisted.

2) Allow top-level sites by default

Scripts from the site you’re actually visiting (the domain shown in the address bar) are allowed to run; scripts from third-party domains embedded in the page are blocked until whitelisted.

3) Allow all scripts globally

Every script runs, as in a vanilla browser, but NoScript’s other protections (described below) still apply.

In terms of security it goes 1 > 2 > 3, from most to least restrictive.

By blocking all scripts you prevent any attack that needs JavaScript, Java, Flash or another plugin to run. That covers the vast majority of attacks we see against users.

NoScript’s default setting, deny all scripts, may be too much for some. But even if you can’t live with the default I still suggest installing NoScript and running it in mode 2 or 3, which are more manageable and still provide the protections below.

Even if you allow all scripts globally, NoScript still provides the following:

XSS Filter

NoScript includes its own XSS filter, and it’s very good. XSS (Cross-Site Scripting) is one of the most common and dangerous classes of web vulnerability: attacker-supplied input (typically from a URL parameter) is reflected into a page and executed as script in the context of the site. NoScript’s filter is stricter than the ones browsers ship with, and even if you whitelist globally you benefit from it.
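To make the attack class concrete, here is an added example (not code from the original post or from NoScript) showing a reflected-XSS sink beside its hardened form, plus a toy check in the spirit of a browser-side XSS filter. The `renderGreeting*` functions, the `looksLikeReflectedXss` heuristic and the sample payload are all constructed for illustration; the heuristic is a simplified model and is not NoScript’s actual filtering logic.

```javascript
// Added example (not NoScript's code): a reflected-XSS sink and its hardened form.
// A page that echoes a URL parameter into HTML without escaping is the classic
// target a client-side XSS filter tries to catch.

// Minimal HTML entity escaping, sufficient for text nodes and quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  }[c]));
}

// Vulnerable: the query parameter is concatenated straight into the markup.
function renderGreetingVulnerable(name) {
  return "<h1>Hello, " + name + "</h1>";
}

// Hardened: the same parameter is escaped before it reaches the HTML context.
function renderGreetingSafe(name) {
  return "<h1>Hello, " + escapeHtml(name) + "</h1>";
}

// Toy reflected-XSS check (simplified model, not NoScript's heuristics): if a
// request parameter contains markup or script syntax and that exact string
// shows up unchanged in the response, the page is reflecting attacker-controlled
// HTML and the request should be blocked or neutralised.
function looksLikeReflectedXss(paramValue, responseHtml) {
  const hasMarkup = /<[a-z!\/]|javascript:|on\w+\s*=/i.test(paramValue);
  return hasMarkup && responseHtml.includes(paramValue);
}

// Constructed sample input: a payload an attacker might place in ?name=
const payload = '<img src=x onerror="alert(document.cookie)">';
```

Run against the constructed payload, the vulnerable renderer reflects the `<img ... onerror=...>` tag verbatim and the check fires; the hardened renderer emits `&lt;img ... &gt;`, which the browser displays as text rather than parsing as a tag, so nothing is reflected and the check stays quiet.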

HSTS

NoScript can also force HTTPS for sites you specify, which blunts MITM attacks against those sites. It also supports HTTP Strict Transport Security (HSTS): a site served over HTTPS can send a Strict-Transport-Security header telling the browser to use HTTPS only for a given period, and NoScript will enforce it. Note that HSTS only protects from the first HTTPS visit onward; the very first connection can still be downgraded by an attacker on the path. This feature is also present even with all scripts allowed.
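As an added example (not code from the original post, NoScript or Firefox), the following models how an HSTS policy store turns that header into http-to-https rewrites. The header format follows RFC 6797, but the parser, the `HstsStore` class and the sample hosts are constructed here for illustration, and the matching logic is a simplified model of what a real browser does.

```javascript
// Added example (not NoScript's or Firefox's code): a simplified HSTS policy
// store. Header syntax per RFC 6797 (max-age, includeSubDomains); hostnames
// below are constructed sample data.

// Parse a Strict-Transport-Security header value into its directives.
// Returns null if the header carries no usable max-age.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const part of headerValue.split(";")) {
    const [rawName, rawValue] = part.split("=");
    const name = rawName.trim().toLowerCase();
    const value = rawValue === undefined ? undefined : rawValue.trim().replace(/^"|"$/g, "");
    if (name === "max-age" && value !== undefined && /^\d+$/.test(value)) {
      policy.maxAge = Number(value);
    } else if (name === "includesubdomains") {
      policy.includeSubDomains = true;
    }
  }
  return policy.maxAge === null ? null : policy;
}

// In-memory HSTS store keyed by host name. Times are epoch seconds.
class HstsStore {
  constructor() { this.entries = new Map(); }

  // Record a policy. A header seen over plain HTTP must be ignored: otherwise a
  // man-in-the-middle could plant or clear entries. max-age=0 removes the host.
  observe(host, headerValue, overHttps, now) {
    if (!overHttps) return;
    const policy = parseHsts(headerValue);
    if (!policy) return;
    if (policy.maxAge === 0) { this.entries.delete(host); return; }
    this.entries.set(host, {
      expires: now + policy.maxAge,
      includeSubDomains: policy.includeSubDomains,
    });
  }

  // True if host has an unexpired entry, or a parent domain does and that
  // parent's policy carries includeSubDomains. Expired entries are evicted.
  isKnown(host, now) {
    const labels = host.split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      const e = this.entries.get(candidate);
      if (!e) continue;
      if (e.expires <= now) { this.entries.delete(candidate); continue; }
      if (i === 0 || e.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// URL to https:// when the host is known; anything else
  // (already https, unknown host, expired policy) passes through unchanged.
  upgrade(urlString, now) {
    const url = new URL(urlString);
    if (url.protocol === "http:" && this.isKnown(url.hostname, now)) {
      url.protocol = "https:";
    }
    return url.toString();
  }
}
```

The two edge cases worth noticing are the ones attackers lean on: a policy observed over plain HTTP is discarded, and a policy that has passed its max-age no longer upgrades, which is why the first visit after a long absence is the exposed moment the text above mentions.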

ClearClick

NoScript provides clickjacking protection via ClearClick. Clickjacking is an attack that abuses invisible or disguised content: a transparent frame or plugin object is positioned over a decoy so that you think you’re clicking one thing but actually click another. When you interact with embedded content that is obscured or transparent, ClearClick blocks the interaction and reveals the hidden element you were about to click. This defeats clickjacking independently of JavaScript and iframe blocking.
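The following is an added example, not NoScript’s ClearClick code, that models the idea behind it: compare the element the browser would deliver a click to with the element the user can actually see at that point, and refuse the click when they differ. The element records, the opacity threshold and the two sample page layouts are constructed for illustration; no real DOM is involved.

```javascript
// Added example (not NoScript's ClearClick code): a simplified model of the
// ClearClick idea. A clickjacking page stacks a transparent frame over a decoy,
// so the element the user *sees* and the element the browser *delivers* the
// click to are different. Comparing the two exposes the trick.

// Elements are plain objects: id, bounding box (x, y, w, h), stacking order z
// (higher is on top) and opacity (0 = fully transparent, 1 = opaque).
function elementsAt(elements, px, py) {
  return elements
    .filter(e => px >= e.x && px < e.x + e.w && py >= e.y && py < e.y + e.h)
    .sort((a, b) => b.z - a.z); // topmost first
}

// What the browser does: dispatch the click to the topmost element under the
// pointer, no matter how invisible it is.
function hitTarget(elements, px, py) {
  const stack = elementsAt(elements, px, py);
  return stack.length ? stack[0].id : null;
}

// What the user perceives: the topmost element that is actually visible.
// minOpacity is an assumed threshold below which content counts as invisible.
function visibleTarget(elements, px, py, minOpacity = 0.1) {
  const stack = elementsAt(elements, px, py).filter(e => e.opacity >= minOpacity);
  return stack.length ? stack[0].id : null;
}

// Block the interaction when the recipient differs from what the user can see.
function clickIsHijacked(elements, px, py) {
  const hit = hitTarget(elements, px, py);
  return hit !== null && hit !== visibleTarget(elements, px, py);
}

// Constructed sample layout: a decoy "Play video" button with a fully
// transparent iframe (say, a bank's "Transfer" button) placed exactly on top.
const clickjackPage = [
  { id: "decoy-play-button",  x: 100, y: 100, w: 200, h: 50, z: 1, opacity: 1 },
  { id: "hidden-bank-iframe", x: 100, y: 100, w: 200, h: 50, z: 2, opacity: 0 },
];

// Constructed benign layout: the same iframe, but visible, so the user sees
// exactly what they click.
const honestPage = [
  { id: "page-background",     x: 0,   y: 0,   w: 800, h: 600, z: 0, opacity: 1 },
  { id: "visible-bank-iframe", x: 100, y: 100, w: 200, h: 50,  z: 1, opacity: 1 },
];
```

On the attack layout a click at (150, 120) is delivered to `hidden-bank-iframe` while the user sees `decoy-play-button`, so the click is flagged; on the honest layout both resolve to the same element and it goes through. The client-side check complements, rather than replaces, the server-side defence: a site that does not want to be framed should send an `X-Frame-Options` header or a Content-Security-Policy `frame-ancestors` directive.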

ABE

ABE, or Application Boundaries Enforcer, acts as a policy engine for requests between web applications: its rules define which sites may send requests to which others, so a page from one origin cannot make your browser issue arbitrary requests to another. Its default rules, for instance, stop public web pages from sending requests to hosts on your local network, such as a router’s admin interface. It provides isolation at the web-application level and mitigates CSRF-style attacks.

So it’s clear that even with NoScript set to allow scripts globally you’re much better off than with vanilla Firefox. I highly recommend that if you’re a Firefox user you use NoScript at its default setting, but just having it installed for any of the above features is a good idea. It’s a great tool for limiting tracking and preserving privacy on the web (there’s a reason the Tor Browser ships with NoScript!) as well as preventing exploitation.